problems with recalculated failure rates · statistical failure statistic behaviour random failure...

Prof. Dr.Prof. Dr.--Ing. habil. J. BIng. habil. J. Böörcsrcsöökk

Problems with Recalculated Failure Rates

Problems with Recalculated Failure RatesProf. Dr.-Ing. habil. J. Börcsök

� Introduction

� Terms and Parameters to define reliability and safety

� Risks and Hazards

� Reliability- and Functional Safety

� Methods and Procedures to improve Reliability and Safety

� Methods to calculate Reliability and Safety Parameters

� Architectures for Safety Embedded Systems

� Software Requirements

� Diagnostics for Safety Systems

� Different Approaches from different Standards

� Problems with Safety Numbers

� Backwards Calculation

Overview

2


Introduction

� Applications of safety Computer Architecture

� Avionics and astronautics

� Rail technology

� Chemical industries

� Oil and gas industries and Pipelines

� Engineering systems (Press, automatic lathe etc.)

� Robot controls

� Turbines control

� etc.

3


� Safety

� Is Validation and Certification of critical systems according international standards in principle necessary?

� How safe are our systems and plants?

� Can we predict safety?

Introduction

4


� “Wise predictions from the IT”

� Predictions from experts:

� “I think, worldwide is a market for maybe five computers.”Thomas Watson, IBM-Chef 1943

� “But … for what reason shall this be good?”A scientist at the IBM computer department for the development of microchips, 1968

� “There is no reason at all, why someone should have a computer at home.”Ken Olson, President and founder of DEC, 1977

� “640 KByte shall be enough.”Bill Gates, 1981

Introduction

5


Introduction

6

� We have already systems to protect in use.

� Jamnagar Refinary 2006 � Bhopal


Introduction

7


� Buncefield 2006 � Piper Alpha 1988


Introduction

8


� Oil Rig Brasil � BP Oil Rig Mexican Gulf 2010


� 1986 Nuclear power plant in Tschernobyl (Explosion)� 1987 Space Shuttle Challenger (Explosion)� 1988 Oil-rig in the North Sea (Explosion, Fire)� 1989 Oil-tanker Exxon nearby Alaska (Collision, Reef)� 1993 Hoechst AG (Release of gases)� 1994 Ferry from St. Petersburg to Sweden (Sunk)� 1996 Wide-bodied aircraft in the Caribbean (Crash)� 1998 Train accident nearby Enschede (Broken wheel, Collision)� 1999 Fire in the Mont Blanc tunnel (Collision, fire)� 2000 Concorde (Burst tire, Crash)� ...� ...� ...� 2010 Gulf of Mexico (Oil Rig Deep Water Horizons)� 2011 Fukushima (Japan Nuclear power plant – CC failure)

Introduction

9


� And for all these plant´s and facilities we have had valid datas!

Introduction

10


Terms and Parameters to define Reliability and Safety

� Reliability / Safety

� Determining Factors:

� Development of new technologies

� Quality of the component

� Maintenance costs

� Liability costs

� …

11


Risks and Hazards

Risk reduction = Task of Functional Safety

Standard: IEC/EN 61508

12


� Type of Failures

� Components- and devices failures� Faulty Dimension � Manufacturing faults� Circuit faults� Wiring faults� Development faults� Conceptual faults

� Type of failures of programs� Specification faults� Development faults� Implementation faults� Documentation faults

Reliability- and Functional Safety

13



� Random Failure

� Systematic Failure

14




� Dimension Failures

� Size decremented� Size incremented

� Extreme Failures

� Short-circuit� Brocken

� Time response

� Sudden Failure� Drift failure

� Point in time

� Early failure� Random Failure� Erosion failure

� Duration

� Sporadic failure

� Statistical failure

� Statistic behaviour

� Random failure

� Systematic failure

� Deterministic failure

� Number

� Single Failure

� Multiple Failures

� Cause

� Primary failure

� Sequential failures


15


� Percentage of probability of failure within a computer system

� 15 % Computer System (HW + SW)

� 35 % Input units� 50 % Output units

15%

35%

50%

Source: IEC 61508, 1996

16



� Percentage of failures within the lifecycles

44%

20%

15%

6%

15%� 44 % Specification� 20 % Changes after decision

(placing the order)� 15 % Operation and

maintenance � 15 % Design and

implementation� 06 % Setup and commissioning

Source: HSE, Out of Control; Why control systems go wrong and how to prevent failure, 2nd ed., 2003, S. 45

17



� Percentage of probability of failure within a computer system

� 15 % Computer system(HW + SW)

� 35 % Input units� 50 % Output units

15%

35%

50%

� 36 % System test� 12 % Input test� 02 % Input processing� 30 % CPU-Test� 05 % CPU-processing� 12 % Output test� 03 % Output processing

36%

12%2%

30%

5%

12% 3%

18



� Failure in applications using Safety Systems

� Hardware/Component Failures (technical Failures)

� Operating error (human error during manipulations)

� Failure when applying new technologies

� Shut down through failure in the Software

� Compatibility problems during SW-Update

� Interfaces problems when interacting SW-Products

� Manipulation errors during manual operations (emergency)

Conclusion

� Consider to relocate the error sources in the Systems

� Systematically use reliability and safety methods


19


� Reliability Technique

� Reduction of the probability failure� better components (HW and SW)� better system structures (HW and SW)� better redundancy structure (HW and SW)

� Safety technique

� Danger Exclusion� Failure exclusion (HW and SW)� Fail-safe (true fail-safe only HW)� Failure detection (HW and SW) and crossover to safe

sides

� Reliability - and Safety technique

� Combination of the previous method and techniques� Safety not at the cost of Availability and vice versa� High grade of safety and availability has to be solved

conceptual.

Methods and Procedures to improve Reliability and Safety

20


� Overview

� Reliability block diagram� Markov Model� Failure tree analysis� Petri-Nets-Method� Boolean reliability model� Bayesian Method� etc.

� About the two first methods:� Often used in the risk analysis� Produce similar results when correctly used

Methods and Procedures to improve Reliability and Safety

21


� Properties

� Not redundantly classified, i.e. each elements function Ei must be given

� Failure free operating time τ1, τ2, ..., τn of elements Element E1, E2, ..., En are independent failure values. The reliability function of each single elements is determined with

� Reliability Block Diagram

� Failure Behaviour

� All component are operating properly � System is operating properly

� at least one component fails � System fails

� Reliability function of the whole system

tii

dtt

ii

i

t

etRconsttmitetR λλ

λ −−

=⇒=∫

= )()()()(

0

∏=⋅⋅⋅=n

iin

s tRtRtRtRtR )()(...)()()( 21)(

R1 R2 Rn

Reliability Method: Systems with Redundancy

22

Problems with Recalculated Failure RatesProf. Dr.-Ing. habil. J. Börcsök 23

� Properties

� Operating until the last element fails

� Reliability Block Diagram

� Failure Behaviour

� At least one component is operating properly� System operates properly

� All components failed � System failed

� Reliability function

Element 1

Element 2

Element n

R1

R2

Rn

( ) inin

kir tRtR

i

ntR −

=

−⋅⋅

=∑ )(1)()(

Reliability Method: Systems with Redundancy


Determine the PFD ( Probability of Failure on Demand)

� Probability of Failure on Demand (PFD)

� To determine the quality of a system, it is sufficient to examine the first maintenance interval with i = 1.

� To calculate the PFDavg, the average value of the PFD-Function will be applied for the overall Proof-test interval T1.

24

( )niTitTitPtPFD iii ,...,3 ,2 ,1 with )1(for )()( 11 ∈⋅<≤⋅−=

1111 0f黵 )( TtttPFD D <≤⋅= λ

.2

111

01

1

TdttT

PFD D

T

Davg ⋅⋅=⋅⋅= ∫ λλ

T 1

P F D

P F D a v g

t0

T 1 T 1


( ) MTTRMTTRTTD

DD

D

DU

λλ

λλ ++= 1

DUDDD λλλ +=

Available diagnostic:only λDU make for PFD.

unavailable diagnostic:λDU and λDD make for PFD.

Time occurrence of dangerous non-detected failure

Time occurrence of dangerous detected failure

Determine the PFD ( Probability of Failure on Demand)

25


� MooN-System, e.g. 2oo3-System (Majority-Redundancy)

� Reliability

� Probability of Failure

� Average Lifecycle (2oo3-System)

Determine Reliability and Safety

( )∫ ⋅−⋅=T

Savg dttRT

TPFD0

)(11

)(

λλλ ⋅=

⋅−

⋅=

6

5

3

2

2

3MTTF

26

A3

A2

A1

2/3

( ) inin

kiS tRtR

i

ntR −

=

−⋅⋅

=∑ )(1)()( )(2)(3)( 32 tRtRtRS −=

−+⋅⋅

+=⋅−⋅−

6

134911)(

32 TT

avg

ee

TTPFD

λλ

λ

tetR ⋅−= λ)(

∫∞

⋅=0

)( dttRMTTF S

� For 2oo3-System


Requirements for Software safety embedded systems

� Software-Errors

� Data References

� Initialisation error

� Indexes over the limits

� Data Declaration

� Missing data declaration

� Misunderstood attribute

� Calculations

� Use different data types

� Brackets used incorrectly

� Roundoff error

27

� Comparison

� Priority of the relational operator misunderstood

� Incorrect Boolean expressions

� Thread of Control

� False criterion for loop termination

� False DO/END-Structure

� Interfaces

� Inconsistent parameters and arguments

� Misuse of constants and variables



� Reliability methods for Software development

� Two categories of methods

� Avoiding faults� High-level programming language� Structured programming� Top-down-Design� Specifications-systems and Design-systems� SW-Design tools� SW-validation and quality management

� Detect and eliminate / tolerate faults

� Programme tests and amendment

� Programme flow control

� Repetition of programme sequences

� Diversity programming

28



� Reliability methods for Software development

� Real-fail-safe-methods

� Cannot be applied in software.

� Quasi-fail-safe-methods

� Failure detection with� Program sequence monitoring� Runtime monitoring� Plausibility check� Software-diversity

Afterwards safety-related methods shall be executed.

29


Diagnostics-and Tests classification for safety embedded systems

� Foreground test

� Executed within the safety time and can be split into several cycles.

� Reaction time: Immediately after detection

� Example: Memory test

� Cyclic tests

� Executed within one cycle

� Maximal reaction time: 2 cycles

� Examples: Test of input modules, reading back and comparing of output signals

� Background test

� Detection of a second fault, after an undetected safe single failure occurred.

� Execution with in the second fault entry time and is split in many cycles.

� Reaction time: Immediately after detection.

� Example: Walking-bit Test of Input / Output modules

30


Diagnostics-and Tests classification for safety embedded systems

� The following diagnostic methods shall be applied for a safety-related architecture (depending on the SIL)

Diagnosis methods for

� electronic subsystems

� processing units

� unchangeable memory

� alterable memory

� Input / Output modules

� internal communication

� external power supply

� programme flow (logic / time)

� Clock

� communication with mass storage.

31


Numbers – But which one ?

Result: We need numbers to determine Safety!!

� PFD

� Lambda value

But which one?

� PFD from which standard

� Lambda value from which catalogue? MIL, Sintef, SN,...

32


Great: PFD Numbers

Result: PFD is good !

PFDBut which one?

� Different way’s to calculate PFD numbers e.g. ISA 84.0.02 or IEC 61508 or EN 50126/50129

� All of them are named PFD but leads to different values!

33


Different Approaches

34

� Different Values from different Standard

� 1oo1-System

MTTR)MTTR2

T

t

t)(PFD

DD1

DU

CED

CEDDDU1oo1,G

⋅+

+⋅=

⋅=⋅+=

λλ

λλλ

with

MTTR)MTTR2

Tt

D

DD1

D

DUCE ⋅+

+⋅=λ

λλ

λ

IEC/EN 61508 ISA-TR84.0.02

2

TIPFD DU

1oo1,avg ⋅= λ

Simplified Equation without

considering λDD

Dangerous failure rate (per hour) of a channel in a subsystem

Detectable dangerous failure rate (per hour) of a channel in a subsystem

Undetectable dangerous failure rate (per hour) of a channel in a subsystem

Mean time to restoration // mean time to repair (hour)

Average probability of failure on demand for the group of voted channels

Proof-test interval // time interval between manual functional tests of the components (hour)

Channel equivalent mean down time (hour)

DU

DU λλ =DDλ

MTTR

avgG PFDPFD =

Dλ

TIT1 =

CEt



35


� 1oo2-System

( )[ ]

⋅⋅+

⋅⋅⋅+

⋅=

2

TI

TIMTTR3

TIPFD

DU

DDDU

22DU

avg

λβ

λλ

λ ][( ) ( )( )

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=

MTTR2

TMTTR

tt

112PFD

1DUDDD

GECE

2

DUDDD2oo1,G

λβλβ

λβλβ

MTTR)MTTR2

Tt

D

DD1

D

DUCE ⋅+

+⋅=λ

λλ

λ

simplified equation:MTTR)MTTR

3

Tt

D

DD1

D

DUGE ⋅+

+⋅=λ

λλ

λ( )

3

TIPFD

22DU

avg

⋅= λ

with

IEC/EN 61508 ISA-TR84.0.02

Fraction of undetectable failures that have a common cause

Fraction of failures that are detectable by the diagnostic tests, fraction that have a common cause



Undetectable dangerous failure rate (per hour) of a channel in asubsystem


DU

DU λλ =

DD

DD λλ =

MTTR

DλDβ

βavgG PFDPFD =

TIT1 =

CEt

GEt

� Without considering MTTR for CCF

� Without λ DD for simplified equation




Voted group equivalent mean down time (hour)



36


� 2oo3-System

MTTR)MTTR2

Tt

D

DD1

D

DUCE ⋅+

+⋅=λ

λλ

λ

MTTR)MTTR3

Tt

D

DD1

D

DUGE ⋅+

+⋅=λ

λλ

λ

with

IEC/EN 61508 ISA-TR84.0.02

( )[ ]

⋅⋅+

⋅⋅⋅⋅+

⋅=

2

TI

TIMTTR3

TIPFD

DU

DDDU

22DU

avg

λβ

λλλ ][( ) ( )( )

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=

MTTR2

TMTTR

tt

116PFD

1DUDDD

GECE

2

DUDDD2oo1,G

λβλβ

λβλβ

( ) 22DU

avg TIPFD ⋅= λ

simplified equation: � Without considering MTTR for CCF

� Without λ DD for simplified equation

Fraction of undetectable failures that have a common cause

Fraction of failures that are detectable by the diagnostic tests, fraction that have a common cause



Undetectable dangerous failure rate (per hour) of a channel in asubsystem


DU

DU λλ =

DD

DD λλ =

MTTR

DλDβ

βavgG PFDPFD =

TIT1 =

CEt

GEt




Voted group equivalent mean down time (hour)



MTTF[years]

MTTR[h]

λλλλS[1/h]

λλλλDD[1/h]

λλλλDU[1/h]

ββββD ββββ SFF[%]

DC[%]

671,50 8 8,5E-08 8,415E-08 8,5E-10 0,01 0,02 99,5 99

671,50 8 8,5E-08 8,49915E-08 8,5E-12 0,01 0,02 99,995 99,99

37


� Example for calculating using the following values



38


� PFD calculation for a 1oo1 system:

1,00E-07

1,00E-06

1,00E-05

1,00E-04

1 ye

ar

2 ye

ars

3 ye

ars

4 ye

ars

5 ye

ars

6 ye

ars

7 ye

ars

8 ye

ars

9 ye

ars

10 y

ears

Proof-test interval T1 / TI

PF

D

1,00E-08

1,00E-07

1,00E-06

1,00E-05

1 ye

ar

2 ye

ars

3 ye

ars

4 ye

ars

5 ye

ars

6 ye

ars

7 ye

ars

8 ye

ars

9 ye

ars

10 y

ears


PF

D

PFD Diagram with DC = 99 % PFD Diagram with DC = 99,99 %

ISA-TR84

IEC 61508

According to IEC/EN 61508 with MTTR and Common-Cause-FailureAccording to ISA-TR84.0.02 with MTTR and Common-Cause-FailureAccording to ISA-TR84.0.02 without MTTR and without Common-Cause-Failure



39


� PFD calculation for a 1oo2 system:

1,00E-14

1,00E-13

1,00E-12

1,00E-11

1,00E-10

1,00E-09

1,00E-08

1,00E-07

1,00E-06

1 ye

ar

2 ye

ars

3 ye

ars

4 ye

ars

5 ye

ars

6 ye

ars

7 ye

ars

8 ye

ars

9 ye

ars

10 y

ears


PF

D

1,00E-18

1,00E-17

1,00E-16

1,00E-15

1,00E-14

1,00E-13

1,00E-12

1,00E-11

1,00E-10

1,00E-09

1,00E-08

1,00E-07

1 ye

ar

2 ye

ars

3 ye

ars

4 ye

ars

5 ye

ars

6 ye

ars

7 ye

ars

8 ye

ars

9 ye

ars

10 y

ears


PF

D

ISA-TR84

IEC 61508

Simplified equation according to ISA-TR84

PFD Diagram with DC = 99 % PFD Diagram with DC = 99,99 %

According to IEC/EN 61508 with MTTR and Common-Cause-FailureAccording to ISA-TR84.0.02 with MTTR and Common-Cause-FailureAccording to ISA-TR84.0.02 without MTTR and without Common-Cause-Failure


Second chance: λ – figures

New Result: λ λ λ λ is good !

λBut which one?

� Different way’s to calculate and find λ figures e.g. MIL, SINTEF, SN 29500, etc.

� All of them are named λ but have sometimes different values!

40


Failure rate λD solved by PFD of 1oo1-Components

To calculate λλλλD:

( )

⋅+

+⋅−⋅=

⋅+

+⋅=

⋅+

+⋅⋅=

⋅=−

MTTRDCMTTRT

DC

MTTRMTTRT

MTTRMTTRT

tPFD

D

DDDU

D

DD

D

DUD

CED

21

2

2

1

1

1

comp.1oo1

λ

λλ

λλ

λλλ

λ

41

PFD: Failure Probability on

Demand

T1: Proof-Test-Interval

MTTR: Mean Time to Repair

tCE: Channel equivalent mean

down time

DC: Diagnostic coverage

λD: Failure rate, dangerous

λDD: Failure rate, dangerous,

detected

λDU: Failure rate, dangerous,

undetected

CED t

PFD comp.1oo1−=λ must be known: DC, T1, MTTR and PFD1oo1-Comp.



For SIL 3 / SIL 4 components:

( ) ( )failure causecommon ccf_failure normalnf_ PFDPFD <<

( ) ( )[ ]

( )( )failure causecommon ccf_

failure normalnf_

2

112

1

2Comp.1oo2

PFD

PFD

MTTRT

MTTR

ttPFD

DUDDD

GECEDUDDD

+=

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=−

λβλβ

λβλβ

42


Demand




down time

tGE: Voted group equivalent

mean down time

DC: Diagnostics coverage



detected


undetected

β: Beta-Factor for CCF λDUβD: Beta-D-Factor for CCF λDD

+⋅⋅+⋅⋅≈− MTTRT

MTTRPFD DUDUDDD 21

comp.1oo2 λβλβ


Failure rate λD solved by PFD of 1oo2-Comp.(approximate approach)

43

( )

+⋅−⋅+⋅⋅⋅≈

+⋅⋅+⋅⋅≈−

MTTRT

DCMTTRDC

MTTRT

MTTRPFD

DD

DUDDD

21

2

1

1comp.1oo2

ββλ

λβλβ

to calculate λλλλD:

( )

+⋅−⋅+⋅⋅≈ −

MTTRT

DCMTTRDC

PFD

D

D

21 1

comp.1oo2

ββλ Must be known:

DC, T1, MTTR , ββββ, ββββD and PFD1oo2-comp.

PFD: Failure Probability on Demand




down time


mean down time




detected


undetected



Failure rate λD solved by PFD of 1oo2-Comp.(rigorous approach)

( ) ( )[ ]

( ) ( ) ( )[ ]

( )

DD

DD

GECEDD

DUDDD

GECEDUDDD

BA

MTTRT

DCMTTRDC

ttDCDC

MTTRT

MTTR

ttPFD

λλ

ββλ

λββ

λβλβ

λβλβ

⋅+⋅=

+⋅−⋅+⋅⋅⋅+

⋅⋅⋅−⋅−+⋅−⋅=

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=−

2

1

22

1

2comp.1oo2

21

1112

2

112

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21112 ββ

( )

+⋅−⋅+⋅⋅= MTTRT

DCMTTRDCB D 21 1ββ

( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

44

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

with

Parameter independent from failure rate, only dependent from system parameters!

Quadratic Equation, can be solved for λλλλD !





down time


mean down time




detected


undetected




A

PFDABBD ⋅

⋅⋅+±−=

−

2

4 comp.1oo22

λ

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21112 ββ

( )

+⋅−⋅+⋅⋅= MTTRT


( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

45

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

with

Minus-Variable does not make sense , since λD would be negative.





down time


mean down time




detected


undetected





For SIL 3 / SIL 4 Components (as for 1oo2-System):

( ) ( )failure cause common _ccffailure normal _nf PFDPFD <<

( ) ( )[ ]

( )( )failure causecommon _ccf

failure normal _nf

2

116

1

2comp.2oo3

PFD

PFD

MTTRT

MTTR

ttPFD

DUDDD

GECEDUDDD

+=

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=−

λβλβ

λβλβ

46

+⋅⋅+⋅⋅≈− MTTRT

MTTRPFD DUDUDDD 21

comp.2oo3 λβλβ





down time


mean down time




detected


undetected





47

( )

+⋅−⋅+⋅⋅⋅≈

+⋅⋅+⋅⋅≈−

MTTRT

DCMTTRDC

MTTRT

MTTRPFD

DD

DUDDD

21

2

1

1comp.2oo3

ββλ

λβλβ

To calculate λλλλD

( )

+⋅−⋅+⋅⋅≈ −

MTTRT

DCMTTRDC

PFD

D

D

21 1

comp.2oo3

ββλ

Must be known:

DC, T1, MTTR , ββββ, ββββD and PFD1oo2-comp.





down time


mean down time




detected


undetected


Element 1

Element 2

2oo3-Components

Element 3



( ) ( )[ ]

( ) ( ) ( )[ ]

( )

DD

DD

GECEDD

DUDDD

GECEDUDDD

BA

MTTRT

DCMTTRDC

ttDCDC

MTTRT

MTTR

ttPFD

λλ

ββλ

λββ

λβλβ

λβλβ

⋅+⋅=

+⋅−⋅+⋅⋅⋅+

⋅⋅⋅−⋅−+⋅−⋅=

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=−

2

1

22

1

2comp.2oo3

21

1116

2

116

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21116 ββ

( )

+⋅−⋅+⋅⋅= MTTRT


( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

48

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

withQuadratic Equation, can be solved for λλλλD!




detected


undetected



Demand




down time


mean down time


Element 1

Element 2

2oo3-Components

Element 3



A

PFDABBD ⋅

⋅⋅+±−=

−

2

4 comp.2oo32

λ

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21116 ββ

( )

+⋅−⋅+⋅⋅= MTTRT


( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

49

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

Minus-Variable does not make sense , since λD would be negative.

with




detected


undetected



Demand




down time


mean down time


Element 1

Element 2

2oo3-Components

Element 3


Failure rate λD solved by PFD of simple mixed SIS

Question: How is the ratio?

2

1

PFD

PFD

50

21SIS simple total, PFDPFDPFD +=

Known are: PFDtotal , DCtotal , SFFtotal , T1, MTTR

2

1

DC

DCand Answer: Generally unknown!

2

1

D

D

λλand

PFD_nf PFD_ccf





down time


mean down time




detected


undetected


1oo1-components

Element 1

Element 2

1oo2-Components




51

( )

( )

+⋅−⋅+⋅⋅⋅+

+⋅−+⋅⋅≈

MTTRT

DCMTTRDC

MTTRT

DCMTTRDCPFD

DD

D

21

21

1222

1111SIS simple total,

ββλ

λ

unknown





down time


mean down time




detected


undetected


PFD_nf PFD_ccf

1oo1-components

Element 1

Element 2

1oo2-Components


Failure rate λD solved by PFD of complex SIS

52

∑=i

iPFDPFD SubsystemSIScomplex total,


No Chance to define the failure rate λλλλD , even not approximately!



� To calculate λλλλD:

( )

⋅+

+⋅−⋅=

⋅+

+⋅=

⋅+

+⋅⋅=

⋅=−

MTTRDCMTTRT

DC

MTTRMTTRT

MTTRMTTRT

tPFD

D

DDDU

D

DD

D

DUD

CED

21

2

2

1

1

1

comp.1oo1

λ

λλ

λλ

λλλ

λ

53




tCE: Channel equivalent mean down time

DC: Diagnostic coverage



detected


undetected

CED t

PFD comp.1oo1−=λ must be known: DC, T1, MTTR and PFD1oo1-Comp.


Failure rate λD solved by PFD of 1oo2-Comp.(approximate approach)

54

( )

+⋅−⋅+⋅⋅⋅≈

+⋅⋅+⋅⋅≈−

MTTRT

DCMTTRDC

MTTRT

MTTRPFD

DD

DUDDD

21

2

1

1comp.1oo2

ββλ

λβλβ

To calculate λλλλD:

( )

+⋅−⋅+⋅⋅≈ −

MTTRT

DCMTTRDC

PFD

D

D

21 1

comp.1oo2

ββλ

Must be known:

DC, T1, MTTR , ββββ, ββββD

and PFD1oo2-comp.


Demand




down time

tGE: Voted group equivalent mean

down time




detected


undetected

β: Beta-Factor for CCF λDU

βD: Beta-D-Factor for CCF λDD


( ) ( )[ ]

( ) ( ) ( )[ ]

( )

DD

DD

GECEDD

DUDDD

GECEDUDDD

BA

MTTRT

DCMTTRDC

ttDCDC

MTTRT

MTTR

ttPFD

λλ

ββλ

λββ

λβλβ

λβλβ

⋅+⋅=

+⋅−⋅+⋅⋅⋅+

⋅⋅⋅−⋅−+⋅−⋅=

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=−

2

1

22

1

2comp.1oo2

21

1112

2

112

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21112 ββ

( )

+⋅−⋅+⋅⋅= MTTRT


( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

55

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

with


Quadratic Equation, can be solved for λλλλD !

Failure rate λD solved by PFD of 1oo2-Comp.(rigerous approach)


Demand




down time


down time




detected


undetected




A

PFDABBD ⋅

⋅⋅+±−=

−

2

4 comp.1oo22

λ

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21112 ββ

( )

+⋅−⋅+⋅⋅= MTTRT


( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

56

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

with

� For the experts: Minus-Variable does not make sense , since λD would be negative.


Failure rate λD solved by PFD of 1oo2-Comp.(rigerous approach)


Demand




down time


down time




detected


undetected





� For SIL 3 / SIL 4 Components (as for 1oo2-System):

( ) ( )failure cause common _ccffailure normal _nf PFDPFD <<

( ) ( )[ ]

( )( )failure causecommon _ccf

failure normal _nf

2

116

1

2comp.2oo3

PFD

PFD

MTTRT

MTTR

ttPFD

DUDDD

GECEDUDDD

+=

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=−

λβλβ

λβλβ

57

+⋅⋅+⋅⋅≈− MTTRT

MTTRPFD DUDUDDD 21

comp.2oo3 λβλβ


Demand




down time


down time




detected


undetected





� For SIL 3 / SIL 4 components:

58

( )

+⋅−⋅+⋅⋅⋅≈

+⋅⋅+⋅⋅≈−

MTTRT

DCMTTRDC

MTTRT

MTTRPFD

DD

DUDDD

21

2

1

1comp.2oo3

ββλ

λβλβ


( )

+⋅−⋅+⋅⋅≈ −

MTTRT

DCMTTRDC

PFD

D

D

21 1

comp.2oo3

ββλ

Must be known:

DC, T1, MTTR , ββββ, ββββD

and PFD1oo2-comp.


Demand




down time


down time




detected


undetected





( ) ( )[ ]

( ) ( ) ( )[ ]

( )

DD

DD

GECEDD

DUDDD

GECEDUDDD

BA

MTTRT

DCMTTRDC

ttDCDC

MTTRT

MTTR

ttPFD

λλ

ββλ

λββ

λβλβ

λβλβ

⋅+⋅=

+⋅−⋅+⋅⋅⋅+

⋅⋅⋅−⋅−+⋅−⋅=

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=−

2

1

22

1

2comp.2oo3

21

1116

2

116

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21116 ββ

( )

+⋅−⋅+⋅⋅= MTTRT


( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

59

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

withQuadratic Equation, can be solved for λλλλD!





detected


undetected




Demand




down time


mean down time



A

PFDABBD ⋅

⋅⋅+±−=

−

2

4 comp.2oo32

λ

60

� Minus-Variable does not make sense , since λD would be negative.




detected


undetected




Demand




down time


mean down time

( ) ( ) ( )[ ] GECED ttDCDCA ⋅⋅−⋅−+⋅−⋅= 21116 ββ

( )

+⋅−⋅+⋅⋅= MTTRT


( ) MTTRDCMTTRT

DCtCE ⋅+

+⋅−=2

1 1

( ) MTTRDCMTTRT

DCtGE ⋅+

+⋅−=3

1 1

with




Question: How is the ratio?

1oo1-Components

Element 1

Element 2

1oo2-components

2

1

PFD

PFD

61

21SIS simple total, PFDPFDPFD +=


2

1

DC

DCand

Answer: Generally unknown! 2

1

D

D

λλ

and

PFD_nf PFD_ccf


Demand




down time


down time




detected


undetected




( )

( )

+⋅−⋅+⋅⋅⋅+

+⋅−+⋅⋅≈

MTTRT

DCMTTRDC

MTTRT

DCMTTRDCPFD

DD

D

21

21

1222

1111SIS simple total,

ββλ

λ



62

unknown


Demand




down time


down time




detected


undetected



1oo1-Components

Element 1

Element 2

1oo2-components

PFD_nf PFD_ccf


Failure rate λD solved by PFD of complex SIS

63

∑=i

iPFDPFD SubsystemSIScomplex total,


No chance to define the failure rate λλλλD , even not approximately!


λλλλD_1oo1 4.10E-07 1/h

DC 99 %

T1 10 years

MTTR 8 h

tCE 466 h

PFDavg 1.8286E-04

λλλλD_total 5.26E-06 1/h

DC 99 %

ββββD 1 %

ββββ 2 %

T1 10 years

MTTR 8 h

tCE 466 h

tGE 300 h

PFD_nFPFD_ccF

1.890281E-044.287788E-05

PFDavg 2.319060E-04

64

λλλλD_1oo2 4.85E-06 1/h

DC 99 %

ββββD 1 %

ββββ 2 %

T1 10 years

MTTR 8 h

tCE 466 h

tGE 300 h

PFD_nFPFD_ccF

6.168112E-064.287788E-05

PFDavg 4.904599E-05

1oo1-Components 1oo2-Components Mixed System



λDD: Failure rate, dangerous, detected

λDU: Failure rate, dangerous, undetected







down time

Calculation Ex. 10 (mixed Sys., approx. solution, λλλλD_1oo1 < λλλλD_1oo2)


λλλλD_1oo1 4.10E-07 1/hλλλλD_total 5.26E-06 1/h

DC 99 %

ββββD 1 %

ββββ 2 %

T1 10 years

MTTR 8 h

tCE 466 h

tGE 300 h

PFD_nFPFD_ccF

1.890281E-044.287788E-05

PFDavg 2.319060E-04

65

λλλλD_1oo2 4.85E-06 1/h

Mixed System











down time

Calculation Ex. 10a (mixed Sys., approx. solution, λλλλD_1oo1 < λλλλD_1oo2)


(backwards calculation with 1oo1 equation):

CED t

PFD System mixed=λ

λλλλD = 5.199686E-07 1/h

∆∆∆∆ ≈ Factor 10



(backwards calculation with 1oo2-approx. equation):

λλλλD = 2.62313E-05 1/h

( )

+⋅−⋅+⋅⋅≈

MTTRT

DCMTTRDC

PFD

D

D

21 1

System mixed

ββλ

Calculation Ex. 10b (mixed Sys., approx. solution, λλλλD_1oo1 < λλλλD_1oo2)











down time


DC 99 %

ββββD 1 %

ββββ 2 %

T1 10 years

MTTR 8 h

tCE 466 h

tGE 300 h

PFD_nFPFD_ccF

1.890281E-044.287788E-05

PFDavg 2.319060E-04

λλλλD_1oo2 4.85E-06 1/h

Mixed System

∆∆∆∆ ≈ 80 %


λλλλD = 1.732677E-05 1/h

∆∆∆∆ ≈ 70 %

A

PFDABBD ⋅

⋅⋅+±−=

−

2

4 comp.1oo22

λ

Calculation Ex. 10c (mixed Sys., approx. solution, λλλλD_1oo1 < λλλλD_1oo2)











down time


DC 99 %

ββββD 1 %

ββββ 2 %

T1 10 years

MTTR 8 h

tCE 466 h

tGE 300 h

PFD_nFPFD_ccF

1.890281E-044.287788E-05

PFDavg 2.319060E-04

λλλλD_1oo2 4.85E-06 1/h

Mixed System


(backwards calculation with 1oo2-exact equation):


λλλλD = 4.866056E-06 1/h

∆∆∆∆ ≈ 0.32 %

A

PFDABBD ⋅

⋅⋅+±−=

−

2

4 comp.1oo22

λ

Calculation Ex. 11 (mixed Sys., approx. solution, λλλλD_1oo1 << λλλλD_1oo2)











down time

λλλλD_1oo2 4.85E-06 1/h

Mixed System


(backwards calculation with 1oo2-exact equation):


DC 99 %

ββββD 1 %

ββββ 2 %

T1 10 years

MTTR 8 h

tCE 466 h

tGE 300 h

AB

262221.778 h2

8.8408 h

PFDavg 2.319060E-04


λλλλD = 4.100962E-07 1/h

∆∆∆∆ ≈ -1.16 %

Calculation Ex. 12 (mixed Sys., approx. solution, λλλλD_1oo1 >> λλλλD_1oo2)











down time

Mixed System


(backwards calculation with 1oo1 equation):

λλλλD_total 4.1485E-07 1/h

DC 99 %

ββββD 1 %

ββββ 2 %

T1 10 years

MTTR 8 h

tCE 466 h

tGE 300 h

AB

262221.778 h2

8.8408 h

PFDavg 2.319060E-04

λλλλD_1oo1 4.10E-07 1/h λλλλD_1oo2 4.85E-09 1/h

CED t

PFD System mixed=λ


Comparison, Complex System

0,00%

100,00%

200,00%

300,00%

400,00%

500,00%

600,00%

700,00%

800,00%

900,00%

1000,00%

1 2 3

l_D_1oo1 < l_D_1oo2

Reihe1

λλλλD_total, calc.

[1/h]Abs. ∆∆∆∆-Factor

[%]

Calc. with 1oo1-Eq. 5.20E-07 911.60

Calc. with appr.1oo2-Eq. 2.62E-05 79.95

Calc. with exact 1oo2-Eq. 1.73E-05 69.64

70


Mixed SystemλλλλD_total 5.26E-06 1/h

�λλλλD_1oo1 < λλλλD_1oo2

Under this condition we have NO chance to calculate back !!



0,00%

500,00%

1000,00%

1500,00%

2000,00%

2500,00%

3000,00%

3500,00%

4000,00%

4500,00%

1 2 3

l_D_1oo1 << l_d_1oo2

Reihe1



[%]

Calc. with 1oo1-Eq. 1.10E-07 4294.34

Calc. with appr. 1oo2-Eq. 5.57E-06 12.89


71



�λλλλD_1oo1 << λλλλD_1oo2

Under this condition we get different values in back calculation !!



0,00%

10,00%

20,00%

30,00%

40,00%

50,00%

60,00%

70,00%

80,00%

90,00%

100,00%

1 2 3

l_D_1oo1 >> l_D_1oo2

Reihe1



[%]

Calc. with 1oo1-Eq. 4.10E-07 1.16

Calc. with appr. 1oo2-Eq. 2.07E-05 97.99


72



�λλλλD_1oo1 >> λλλλD_1oo2

Under this condition we get different values in back calculation !!


This table provides simplified equations for calculating the PFDavg

for the key elements in a SIS. Once the PFD

avgfor each element is known, a SIL can be determined.

Table 1 Simplified equations for calculating PFDavg

Description EquationVariables

(supplied by the manufacturer)

SensorsTo calculate PFDavgfor sensors (2oo3)

PFDavg = (λDU TI)2

λ = failure rateDU = dangerous, undetected failure rateTI = test interval in hours

Block Valves

To calculatePFDavgfor block valves (1oo2) in series (final elements)

PFDavg =1/3 (λ

DU TI)2λ = failure rateDU= dangerous, undetected failure rateTI= test interval in hours

SystemTo calculate PFDavgfor a system

System PFDavg =Sensors PFDavg +Block valves PFDavg +Controller PFDavg

To determine the SIL, compare the calculates PFDavg to the figure on page 5. In this example, the system is acceptable as a SIS for use in SIL3 applications.

Table 2 Determining the SIL using the Equations

λDU TI PFD Result

Pressure Transmitters (2oo3) 2.28E-06 4380 1.00E-04

Temperature transmitter (2oo3) 2.85E-06 4380 1.56E-04

Total for sensors 2.56E-04

Block valve (1oo2) 2.28E-06 4380 3.33E-05

Total for Block valves 3.33E-05

Controller 2.00E-05

PFDavg for System 3.09E-04

Datas from the Internet: Datasheet XY-System

( )2*TIPFD DUavg λ=

( )2**3

1TIPFD DU

avg λ=

73

Extract from XY-System on the Internet

� Simplified ISA-Equations:

� PFD-calculations for only one proof test intervalfor TI = ½ year!

� no specification for TI

� no specification for PFD-value

� only specification for λλλλ_DU


This table provides simplified equations for calculating the PFDavg

for the key elements in a SIS. Once the PFD

avgfor each element is known, a SIL can be determined.

Table 1 Simplified equations for calculating PFDavg

Description EquationVariables

(supplied by the manufacturer)

SensorsTo calculate PFDavgfor sensors (2oo3)

PFDavg = (λDU TI)2

λ = failure rateDU = dangerous, undetected failure rateTI = test interval in hours

Block Valves

To calculatePFDavgfor block valves (1oo2) in series (final elements)

PFDavg =1/3 (λ

DU TI)2λ = failure rateDU= dangerous, undetected failure rateTI= test interval in hours

SystemTo calculate PFDavgfor a system

System PFDavg =Sensors PFDavg +Block valves PFDavg +Controller PFDavg

To determine the SIL, compare the calculates PFDavg to the figure on page 5. In this example, the system is acceptable as a SIS for use in SIL3 applications.

Table 2 Determining the SIL using the Equations

λDU TI PFD Result

Pressure Transmitters (2oo3) 2.28E-06 4380 1.00E-04

Temperature transmitter (2oo3) 2.85E-06 4380 1.56E-04

Total for sensors 2.56E-04

Block valve (1oo2) 2.28E-06 4380 3.33E-05

Total for Block valves 3.33E-05

Controller 2.00E-05

PFDavg for System 3.09E-04

Datas from the Internet: Datasheet XY-System

( )22oo3 , *TIPFD DUavg λ=

74

� Simplified ISA-Equations:

with

� λλλλ_DU = 2.00E-05 1/h� TI = ½ year

Discrepancy!SIL 2 !!Extract from XY-System on the Internet

is

� PFDavg, Controller = 7.67E-03

Results for the complete loop:

� PFDavg, total = 7.96E-03

But specified:

� PFDavg, total = 3.09E-04


Comparison HIMax – XY-Controller, exact eq.

XY-Controller(2oo3)

HIMax

λλλλ_DU [1/h] 2.00E-05

X-AI 32 01 (1oo2): 6.86E-09X-CPU 01 (1oo2): 4.55E-09X-SB 01 (1oo2): 3.93E-09X-DO 24 01 (1oo2): 6.77E-09

λλλλ_DD [1/h] with DC = 99 %:1.93E-03

X-AI 32 01 (1oo2): 9,56E-07X-CPU 01 (1oo2): 1.21E-06X-SB 01 (1oo2): 8.20E-07X-DO 24 01 (1oo2): 9.48E-07

ββββ 2 % 2 %

T1 ½ Year ½ Year

PFDavg 1.27E-02 9.70E-07

( )

2**

****3*2

2oo3 ,

TI

TIMTTRTIPFD

DU

DDDUDUavg

λβ

λλλ

+

+= ( )

2

1**

***3

*2

1oo2 ,

T

TIMTTRTI

PFD

DU

DDDUDU

avg

λβ

λλλ

+

+=

75

SIL 1 !! ∆∆∆∆ ≈ 10 4 in favour


Comparison HIMax – XY-Controller, with IEC 61508

XY-Controller(2oo3)

HIMax

λλλλ_DU [1/h] 2.00E-05


λλλλ_DD [1/h] with DC = 99 %:1.93E-03


ββββ 2 % 2 %

T1 ½ Year ½ Year

PFDavg 1.69E-02 1.29E-06

( ) ( )[ ]

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=

MTTRT

MTTR

ttPFD

DUDDD

GECEDUDDDavg

2

116

1

22oo3 ,

λβλβ

λβλβ ( ) ( )[ ]

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=

MTTRT

MTTR

ttPFD

DUDDD

GECEDUDDDavg

2

112

1

21oo2 ,

λβλβ

λβλβ

76∆∆∆∆ ≈ 10 4 in favourSIL 1 !!


Comparison HIMax – XY-Controller, with IEC 61508

XY-Controller(2oo3)

HIMax

λλλλ_DU [1/h] 2.00E-05


λλλλ_DD [1/h] with DC: 99 %:1.93E-03


ββββ 2 % 2 %

T1 10 Year 10 Year

PFDavg 3.16 2.00E-05

( ) ( )[ ]

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=

MTTRT

MTTR

ttPFD

DUDDD

GECEDUDDDavg

2

116

1

22oo3 ,

λβλβ

λβλβ ( ) ( )[ ]

+⋅⋅+⋅⋅+

⋅⋅⋅−+⋅−⋅=

MTTRT

MTTR

ttPFD

DUDDD

GECEDUDDDavg

2

112

1

21oo2 ,

λβλβ

λβλβ

77

∆∆∆∆ ≈ 10 5 in favour


� We have to believe in safety parameters!

� We have to know how and who have generated these

� Best way follow the TÜV data-base!

� For calculating lops use a certified calculation program like

SILCas!

Conclusion

78

Thank you for your attention.

problems with recalculated failure rates · statistical failure statistic behaviour random failure...

Documents